The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Data communication networks use services such as compression, latency reduction, intrusion prevention, data leakage prevention, and firewalls. These services are required to act directly on the traffic that passes through them. Technical advances are resulting in services that have greater awareness of information represented in a message at the application layer of the OSI network reference model, or represented in a message payload, as compared to the network packet level. However, these services cannot inspect or modify information at the application level when that information is encrypted. This problem occurs for any encrypted stream or tunnel traversing one of these services.
Examples of cryptographic protocols that create this problem include SSL/TLS and IPsec. While these cryptographic protocols can provide a secure cryptographic connection between two devices, so that the secure channel is unintelligible to all other devices, there are situations in which it is desirable to allow other devices to listen in on a particular cryptographic connection. In many cases there is a need to monitor traffic for conformance to a security policy. Another situation is the need to debug a particular implementation using an external application such as tcpdump. The former case is especially important for network firewalls, which in some instances cannot perform their monitoring functions in the presence of encrypted traffic. Additionally, some firewall functions, such as telephony support, require access to signaling traffic in order to work at all.